On Wed, Sep 08, 2021 at 03:52:23PM +0000, Salz, Rich wrote:

> I would like to remove the discussion of pinning from 5126bis for the 
> following reason:

[ You surely meant 6125, but let your fingers do the talking... ]

> 
>   *   It’s an escape hatch, saying “do all these things but if you don’t get 
> a match, you can pin.”
>   *   The current wording allows its use, anyway.
>   *   Pinning is bad.

I disagree with this change, because my read of the spec is that it
does not describe the "bad" form of pinning that *requires* a previously
observed certificate or public key (e.g. HPKP) to continue to be the one
presented by the server.

Rather, this form of "pinning" is a user-initiated override that allows
a mismatched certificate to be *additionally* acceptable for the service
the user is trying to reach.

For example, MacOS Keychain variously allows users to configure specific
certificates to be trusted for particular peers.

While this is perhaps dangerous in the hands of clueless users, it is
also useful when used correctly.

Perhaps the text can be made more concise, but I don't think full
removal is warranted.  This is *not* the fragile key pinning from HPKP.

-- 
    Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
